From f088602a82c71ada71da4bacfa748f61db2573fb Mon Sep 17 00:00:00 2001
From: jerry-shao
Date: Sat, 6 Apr 2024 16:03:52 +0100
Subject: [PATCH 1/2] feat(iam): Adding managedPolicyName to IManagedPolicy
---
 .../lib/elastic-beanstalk/deploy-action.ts | 5 +++--
 packages/aws-cdk-lib/aws-iam/lib/managed-policy.ts | 9 +++++++++
 packages/aws-cdk-lib/aws-iam/test/managed-policy.test.ts | 3 +++
 3 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/packages/aws-cdk-lib/aws-codepipeline-actions/lib/elastic-beanstalk/deploy-action.ts b/packages/aws-cdk-lib/aws-codepipeline-actions/lib/elastic-beanstalk/deploy-action.ts
index 89d6d4295d02f..9784f27f707f8 100644
--- a/packages/aws-cdk-lib/aws-codepipeline-actions/lib/elastic-beanstalk/deploy-action.ts
+++ b/packages/aws-cdk-lib/aws-codepipeline-actions/lib/elastic-beanstalk/deploy-action.ts
@@ -1,6 +1,6 @@
 import { Construct } from 'constructs';
 import * as codepipeline from '../../../aws-codepipeline';
-import { Aws } from '../../../core';
+import { ManagedPolicy } from '../../../aws-iam';
 import { Action } from '../action';
 import { deployArtifactBounds } from '../common';
@@ -52,7 +52,8 @@ export class ElasticBeanstalkDeployAction extends Action {
 // Per https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.managed-policies.html
 // it doesn't seem we can scope this down further for the codepipeline action.
- options.role.addManagedPolicy({ managedPolicyArn: `arn:${Aws.PARTITION}:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk` });
+ // options.role.addManagedPolicy({ managedPolicyArn: `arn:${Aws.PARTITION}:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk` });
+ options.role.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName('AdministratorAccess-AWSElasticBeanstalk'));
 // the Action's Role needs to read from the Bucket to get artifacts
 options.bucket.grantRead(options.role);
diff --git a/packages/aws-cdk-lib/aws-iam/lib/managed-policy.ts b/packages/aws-cdk-lib/aws-iam/lib/managed-policy.ts
index 4c335cf38b489..e10303ae60fb7 100644
--- a/packages/aws-cdk-lib/aws-iam/lib/managed-policy.ts
+++ b/packages/aws-cdk-lib/aws-iam/lib/managed-policy.ts
@@ -19,6 +19,12 @@ export interface IManagedPolicy {
 * @attribute
 */
 readonly managedPolicyArn: string;
+
+ /**
+ * The name of the managed policy
+ * @attribute
+ */
+ readonly managedPolicyName: string;
 }
 /**
@@ -117,6 +123,7 @@ export class ManagedPolicy extends Resource implements IManagedPolicy, IGrantabl
 resource: 'policy',
 resourceName: managedPolicyName,
 });
+ public readonly managedPolicyName = managedPolicyName;
 }
 return new Import(scope, id);
 }
@@ -143,6 +150,7 @@ export class ManagedPolicy extends Resource implements IManagedPolicy, IGrantabl
 public static fromManagedPolicyArn(scope: Construct, id: string, managedPolicyArn: string): IManagedPolicy {
 class Import extends Resource implements IManagedPolicy {
 public readonly managedPolicyArn = managedPolicyArn;
+ public readonly managedPolicyName = Stack.of(scope).splitArn(managedPolicyArn, ArnFormat.SLASH_RESOURCE_NAME).resourceName!;
 }
 return new Import(scope, id);
 }
@@ -166,6 +174,7 @@ export class ManagedPolicy extends Resource implements IManagedPolicy, IGrantabl
 resource: 'policy',
 resourceName: managedPolicyName,
 });
+ public readonly managedPolicyName = managedPolicyName;
 }
 return new AwsManagedPolicy();
 }
diff --git a/packages/aws-cdk-lib/aws-iam/test/managed-policy.test.ts b/packages/aws-cdk-lib/aws-iam/test/managed-policy.test.ts
index 540edbf65eff3..b49362ff82ac7 100644
--- a/packages/aws-cdk-lib/aws-iam/test/managed-policy.test.ts
+++ b/packages/aws-cdk-lib/aws-iam/test/managed-policy.test.ts
@@ -21,6 +21,7 @@ describe('managed policy', () => {
 ':iam::aws:policy/service-role/SomePolicy',
 ]],
 });
+ expect(stack.resolve(mp.managedPolicyName)).toEqual('service-role/SomePolicy');
 });
 test('simple customer managed policy', () => {
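Review bot: Adding `managedPolicyName` as a required member of the exported `IManagedPolicy` interface (hunk `@@ -19,6 +19,12 @@`) is a breaking change for every existing implementor and for callers that pass a structural literal such as `{ managedPolicyArn }` to `addManagedPolicy` — the deploy-action hunk in this same series is itself such a caller that had to be rewritten. Consumers outside this repository that implement the interface would presumably stop compiling on upgrade, and the project's API-compatibility checks may flag the new required property as well. If a hard break is not intended, declare it optional, `readonly managedPolicyName?: string;`, and let consumers handle the absent case. The docstring should also say that the name carries any path prefix, since the test in this commit expects `service-role/SomePolicy` for an AWS-managed policy: `The name of the managed policy, including its path prefix if it has one (e.g. service-role/SomePolicy)`.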
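Review bot: The non-null assertion on `.resourceName!` in the new `managedPolicyName` initializer of `fromManagedPolicyArn` (hunk `@@ -143,6 +150,7 @@`) hides the case where `splitArn` finds no resource-name component in `managedPolicyArn`, so the import would expose `undefined` through a field typed `string` and the failure would only surface later in whatever consumes the name. Validate once, before the `Import` class is declared, and fail with a message that names the offending ARN: `const name = Stack.of(scope).splitArn(managedPolicyArn, ArnFormat.SLASH_RESOURCE_NAME).resourceName;` then `if (!name) { throw new Error('Managed policy ARN has no resource name: ' + managedPolicyArn); }` and `public readonly managedPolicyName = name;`. For an unresolved token ARN this path presumably yields a token rather than `undefined`, which the guard leaves unchanged. `Stack` and `ArnFormat` must both be imported in this file's header, which is outside the hunk; the patch does not touch that import block.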
@@ -33,12 +34,14 @@ describe('managed policy', () => {
 ':iam::1234:policy/SomeCustomerPolicy',
 ]],
 });
+ expect(stack.resolve(mp.managedPolicyName)).toEqual('SomeCustomerPolicy');
 });
 test('managed policy by arn', () => {
 const mp = ManagedPolicy.fromManagedPolicyArn(stack, 'MyManagedPolicyByArn', 'arn:aws:iam::1234:policy/my-policy');
 expect(stack.resolve(mp.managedPolicyArn)).toEqual('arn:aws:iam::1234:policy/my-policy');
+ expect(stack.resolve(mp.managedPolicyName)).toEqual('my-policy');
 });
 test('managed policy with statements', () => {
From 297e3c65cb2220eb683315a3cbb451272abf62bf Mon Sep 17 00:00:00 2001
From: jerry-shao
Date: Sat, 6 Apr 2024 16:25:38 +0100
Subject: [PATCH 2/2] Remove unused comments
---
 .../lib/elastic-beanstalk/deploy-action.ts | 1 -
 1 file changed, 1 deletion(-)
diff --git a/packages/aws-cdk-lib/aws-codepipeline-actions/lib/elastic-beanstalk/deploy-action.ts b/packages/aws-cdk-lib/aws-codepipeline-actions/lib/elastic-beanstalk/deploy-action.ts
index 9784f27f707f8..b63c23c57bff1 100644
--- a/packages/aws-cdk-lib/aws-codepipeline-actions/lib/elastic-beanstalk/deploy-action.ts
+++ b/packages/aws-cdk-lib/aws-codepipeline-actions/lib/elastic-beanstalk/deploy-action.ts
@@ -52,7 +52,6 @@ export class ElasticBeanstalkDeployAction extends Action {
 // Per https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.iam.managed-policies.html
 // it doesn't seem we can scope this down further for the codepipeline action.
- // options.role.addManagedPolicy({ managedPolicyArn: `arn:${Aws.PARTITION}:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk` });
 options.role.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName('AdministratorAccess-AWSElasticBeanstalk'));
 // the Action's Role needs to read from the Bucket to get artifacts
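Review bot: The new `managedPolicyName` assertion in 'managed policy by arn' (hunk `@@ -33,12 +34,14 @@`) only exercises a literal ARN whose resource is a bare name, so the `ArnFormat.SLASH_RESOURCE_NAME` parsing added in managed-policy.ts is untested for the two inputs most likely to behave differently: an ARN with a path component, e.g. a constructed `arn:aws:iam::1234:policy/some/path/my-policy`, where the expected name would presumably be `some/path/my-policy` to match the `service-role/SomePolicy` expectation in the preceding test hunk, and an unresolved token ARN (for instance one read from a CfnParameter), where the name must resolve to an intrinsic rather than a string. Add one test per case; for the token case assert on the shape of `stack.resolve(mp.managedPolicyName)` rather than a literal value, since the `!` on `resourceName` in the library code gives no compile-time protection there.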